Send modauthtkt-users mailing list submissions to modauthtkt-users@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.sourceforge.net/lists/listinfo/modauthtkt-users
or, via email, send a message with subject or body 'help' to
    [EMAIL PROTECTED]

You can reach the person managing the list at
    [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of modauthtkt-users digest..."

Today's Topics:

   1. Re: DSA/RSA based derivative of mod_auth_tkt (Christian Folini)
   2. Re: DSA/RSA based derivative of mod_auth_tkt (Jose Luis Martinez)
   3. Re: Blogging about mod_auth_tkt (Jose Luis Martinez)
   4. Minor bug in t/10_cookie_expiry.t (Steven Bakker)
   5. Re: Minor bug in t/10_cookie_expiry.t (Gavin Carr)
   6. Building against apache 2.2 headers (Katz, Aryeh (akatz))
   7. mod_auth_tkt and apache 2.2 ([EMAIL PROTECTED])
   8. Re: mod_auth_tkt and apache 2.2 (Peter Karman)

----------------------------------------------------------------------

Message: 1
Date: Tue, 5 Feb 2008 20:42:52 +0100
From: Christian Folini <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] DSA/RSA based derivative of mod_auth_tkt
To: Manuel Kasper <[EMAIL PROTECTED]>
Cc: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=utf-8

On Tue, Feb 05, 2008 at 04:32:46PM +0100, Manuel Kasper wrote:
> > One thing that would be nice is a method for ticket refreshing (the
> > login server would only have to extend a valid ticket for more time).
> > Users tend to get frustrated if a system logs them off suddenly for no
> > apparent reason. This makes you put big validity times on the tickets.
>
> Sure - there's no reason why this cannot be implemented in the login
> server. mod_auth_pubtkt isn't involved in that (and aside from the
> example in PHP, it doesn't aim to provide a login server solution -
> just the verification module for Apache). If anybody volunteers to
> provide such an extension for the PHP example, I'll gladly include it
> in the distribution. :)

How would you guys do that? I believe it is quite challenging on the
http level.

Say a session reaches the time-to-refresh. The next request hitting
mod_auth_pubtkt would have to be redirected (?) to
http://loginserver/refresh.php. This is how I understand you. But what
happens at the end of refresh.php? A redirect back like in the
back-cookie during the login? Not feasible, as the initial request
hitting the refresh limit might have been a POST request and there is
no redirect for post-requests, where you could keep the request body.
A follow-up to a post request is always a get request or you have to
do some javascript stunts. As far as I can tell.

You start to interact with a running app here and I do not see how it
could work in a generic and reliable way.

However, if you manage to provide mod_auth_pubtkt including
refreshing, then it would be really cool.

How does the decryption compare to the shared secret decryption
performance-wise?

Regs,

Christian Folini

>
> - Manuel
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> modauthtkt-users mailing list
> modauthtkt-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/modauthtkt-users

------------------------------

Message: 2
Date: Wed, 06 Feb 2008 12:02:53 +0100
From: Jose Luis Martinez <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] DSA/RSA based derivative of mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

>> However, if you manage to provide mod_auth_pubtkt including
>> refreshing, then it would be really cool.
>
> Well, if you have an idea on how to best implement that, let me know.
>

Couldn't the module do a refresh request to the login server? (without
the browser even knowing).

I imagine it would go something like:
 - Browser makes request to pubtkt location
 - mod_auth_pubtkt sees that the ticket is refreshable
 - mod_auth_pubtkt spawns a request to the login server giving him the
   old ticket (I think Apache calls these subrequests)
 - Login server verifies the old ticket, and if everything is OK,
   serves a new refreshed ticket.
 - mod_auth_pubtkt sets the received ticket in the response
 - Browser will receive the new ticket

I think ticket refreshing is important. Many applications will need
the refreshing behaviour, and if you don't give it to them, they will
not be able to use your module. If the application doesn't need or
want refreshing, you can always set the refreshable factor to 0 (a la
mod_auth_tkt... never refresh). It's all about option ;)

------------------------------

Message: 3
Date: Fri, 08 Feb 2008 09:40:17 +0100
From: Jose Luis Martinez <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Blogging about mod_auth_tkt
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Just blogged on getting mod_auth_tkt info to the backends ;)

Finally I opted to extend on the mod_headers solution (I think it's
cleaner and simpler), and just remark on the mod_rewrite solution.
Mod_rewrite was a bit more troubling than I thought: the regexp on the
forum gave strange results, and I had to tweak it a little bit to get
the existing params passed along correctly.

http://pplusdomain.net/cgi-bin/blosxom.cgi

I'll try to get an example running where the password is stored in the
data section of the cookie.

Jose Luis Martinez
[EMAIL PROTECTED]

------------------------------

Message: 4
Date: Fri, 22 Feb 2008 15:38:42 +0100
From: Steven Bakker <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Minor bug in t/10_cookie_expiry.t
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain

Greetings,

I'd suggest changing line 141 in t/10_cookie_expiry.t.

It currently reads:

  $calc = DateTime->now(time_zone => 'GMT')->add(years => 1)->strftime('%Y-%m-%d');

It should read:

  $calc = DateTime->now(time_zone => 'GMT')->add(days => 365)->strftime('%Y-%m-%d');

DateTime takes leap years into account when adding year(s) to the
current date, while mod_auth_tkt's convert_to_seconds() uses 365 days.

As a result, this test (subtest 25) has been failing from March '07 and
will continue to fail until the end of this month ;-)

Cheers,
Steven

------------------------------

Message: 5
Date: Sat, 23 Feb 2008 21:44:44 +1100
From: Gavin Carr <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] Minor bug in t/10_cookie_expiry.t
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

On Fri, Feb 22, 2008 at 03:38:42PM +0100, Steven Bakker wrote:
> Greetings,
>
> I'd suggest changing line 141 in t/10_cookie_expiry.t.
>
> It currently reads:
>
> $calc = DateTime->now(time_zone => 'GMT')->add(years =>
> 1)->strftime('%Y-%m-%d');
>
> It should read:
>
> $calc = DateTime->now(time_zone => 'GMT')->add(days =>
> 365)->strftime('%Y-%m-%d');
>
> DateTime takes leap years into account when adding year(s) to the
> current date, while mod_auth_tkt's convert_to_seconds() uses 365 days.
>
> As a result, this test (subtest 25) has been failing from March '07 and
> will continue to fail until the end of this month ;-)

Thanks Steven, good catch. :-) Applied here.

Cheers,
Gavin

------------------------------

Message: 6
Date: Tue, 26 Feb 2008 07:22:48 -0500
From: "Katz, Aryeh \(akatz\)" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] Building against apache 2.2 headers
To: <modauthtkt-users@lists.sourceforge.net>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Haven't tried to use the module yet, but at least it compiles and loads
(as per bin/httpd -t -D DUMP_MODULES)

$ diff -u mod_auth_tkt.c mod_auth_tkt.new.c
--- mod_auth_tkt.c 2006-12-01 06:47:39.000000000 +0000 +++ mod_auth_tkt.new.c 2008-02-26 12:18:39.000000000 +0000 @@ -16,7 +16,11 @@ #include "apr_strings.h" #include "apr_uuid.h" #include "apr_base64.h" +#ifndef APACHE22 #include "pcreposix.h" +#else +#include "ap_regex.h" +#endif #define UUID_SUBS 2 #endif #ifdef APACHE22 
@@ -1128,8 +1132,13 @@ int guest_user_length; apr_uuid_t *uuid; char *uuid_str, *uuid_length_str; +#ifndef APACHE22 regex_t *uuid_regex; regmatch_t regm[UUID_SUBS]; +#else + ap_regex_t *uuid_regex; + ap_regmatch_t regm[UUID_SUBS]; +#endif int uuid_length = -1; char *uuid_pre, *uuid_post; #endif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4958 bytes
Desc: not available

------------------------------

Message: 7
Date: Fri, 29 Feb 2008 13:38:58 +0000 (GMT)
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: [modauthtkt-users] mod_auth_tkt and apache 2.2
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain;charset="UTF-8"

Dear all,

I am new to this list. So maybe my question has been discussed here
before. I have not found it in the archive though.

Mod_auth_tkt for Apache 2.2 is marked as being experimental. In fact I
got to compile it without hassle. Still I believe the code needs some
work.

Apache deprecates the use of pcreposix and favors ap_regex instead.
Mod_auth_tkt still uses pcreposix, which has to be included separately
as it is no longer part of the apache source code distribution.

Is somebody working on this? I am not a big coder myself, but I could
give it a shot possibly...

Best regards,
Hansruedi

------------------------------

Message: 8
Date: Fri, 29 Feb 2008 08:15:01 -0600
From: Peter Karman <[EMAIL PROTECTED]>
Subject: Re: [modauthtkt-users] mod_auth_tkt and apache 2.2
To: modauthtkt-users@lists.sourceforge.net
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8

On 02/29/2008 07:38 AM, [EMAIL PROTECTED] wrote:
> Apache deprecates the use of pcreposix and favors ap_regex instead.
> Mod_auth_tkt still uses pcreposix, which has to be included separately
> as it is no longer part of the apache source code distribution.
>
> Is somebody working on this? I am not a big coder myself, but I could
> give it a shot possibly...

There have been a couple patches already sent to this list to address
that issue (and other 2.2 issues). Search the archives. Not sure
if/when Gavin intends to apply them and push out another RC.

--
Peter Karman . [EMAIL PROTECTED] . http://peknet.com/

------------------------------

_______________________________________________
modauthtkt-users mailing list
modauthtkt-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthtkt-users

End of modauthtkt-users Digest, Vol 16, Issue 2
***********************************************
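
Review bot: The new guard in the first hunk of the Message 6 patch (@@ -16,7 +16,11 @@) is written as `#ifndef APACHE22` ... `#else`, while the context line directly below it already tests `#ifdef APACHE22`. Use the same polarity for both so the file reads consistently, i.e. `#ifdef APACHE22` / `#include "ap_regex.h"` / `#else` / `#include "pcreposix.h"` / `#endif`, and add a one-line comment saying why the 2.2 build takes ap_regex.h instead of pcreposix.h.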
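
Review bot: The calls that compile and execute uuid_regex are not touched anywhere in the Message 6 patch: the second hunk (@@ -1128,8 +1132,13 @@) changes only the declarations of uuid_regex and regm to ap_regex_t and ap_regmatch_t. Under APACHE22 every use of those two variables needs to be checked against the new types, and the hunk should be extended if any call still expects regex_t or regmatch_t. The submission states it was verified by compiling and loading only, so the code path that uses uuid_regex should be exercised once before this is applied.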
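
The date mismatch Steven Bakker reports in Message 4 can be reproduced outside the test suite. The following Perl script is an added example, not code from mod_auth_tkt or its tests; the scan range is constructed and it assumes the DateTime module is installed. It walks candidate run dates and reports the span on which add(years => 1) and add(days => 365) produce different expiry dates.

```perl
#!/usr/bin/perl
# Added example (not part of t/10_cookie_expiry.t): find the run dates on
# which the two ways of computing "one year from now" disagree.
use strict;
use warnings;
use DateTime;

# Constructed scan range covering the period discussed in the thread.
my $day = DateTime->new(year => 2007, month => 1,  day => 1,  time_zone => 'GMT');
my $end = DateTime->new(year => 2008, month => 12, day => 31, time_zone => 'GMT');

my ($first, $last, $count) = (undef, undef, 0);

while ($day <= $end) {
    # Calendar-aware addition, as on the original line 141 of the test.
    my $by_year = $day->clone->add(years => 1)->strftime('%Y-%m-%d');

    # Fixed 365-day year, which is how the thread describes
    # mod_auth_tkt's convert_to_seconds().
    my $by_days = $day->clone->add(days => 365)->strftime('%Y-%m-%d');

    if ($by_year ne $by_days) {
        $first = $day->ymd unless defined $first;
        $last  = $day->ymd;
        $count++;
    }

    $day->add(days => 1);
}

if ($count) {
    # First and last mismatching run date, plus how many dates mismatched,
    # so a gap inside the span would show up as a smaller count.
    print "expiry dates differ on $count run dates, from $first to $last\n";
}
else {
    print "no mismatch in the scanned range\n";
}
```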